Jump to content
Tuts 4 You

Code Segment

rcemoss

By rcemoss
in Programming and Coding

Recommended Posts

rcemoss

rcemoss

Posted
Posted

Got a window that has a field for a machine specific license and a field for a key that pops the getwindowtexta in the following code with every keystroke until the field is filled. TIA for any explanation of code.

.text:004F0FAD align 10h

.text:004F0FB0 push 0FFFFFFFFh

.text:004F0FB2 push offset loc_579A18

.text:004F0FB7 mov eax, large fs:0

.text:004F0FBD push eax

.text:004F0FBE mov large fs:0, esp

.text:004F0FC5 push ecx

.text:004F0FC6 push esi

.text:004F0FC7 mov esi, ecx

.text:004F0FC9 lea ecx, [esp+4]

.text:004F0FCD call ??0CString@@QAE@XZ ; CString::CString(void)

.text:004F0FD2 lea eax, [esp+4]

.text:004F0FD6 mov ecx, esi

.text:004F0FD8 push eax

.text:004F0FD9 push 4D0h

.text:004F0FDE mov dword ptr [esp+18h], 0

.text:004F0FE6 call ?GetDlgItem@CWnd@@QBEPAV1@H@Z ; CWnd::GetDlgItem(int)

.text:004F0FEB mov ecx, eax

.text:004F0FED call ?GetWindowTextA@CWnd@@QBEXAAVCString@@@Z ; CWnd::GetWindowTextA(CString &)

.text:004F0FF2 lea ecx, [esp+4]

.text:004F0FF6 call ?TrimLeft@CString@@QAEXXZ ; CString::TrimLeft(void)

.text:004F0FFB lea ecx, [esp+4]

.text:004F0FFF call ?TrimRight@CString@@QAEXXZ ; CString::TrimRight(void)

.text:004F1004 lea ecx, [esp+4]

.text:004F1008 call ?MakeUpper@CString@@QAEXXZ ; CString::MakeUpper(void)

.text:004F100D mov eax, [esp+4]

.text:004F1011 cmp dword ptr [eax-8], 14h

.text:004F1015 jl short loc_4F103A

.text:004F1017 push eax

.text:004F1018 call sub_4EF910

.text:004F101D add esp, 4

.text:004F1020 test eax, eax

.text:004F1022 jz short loc_4F103A

.text:004F1024 push 1

.text:004F1026 push 1

.text:004F1028 mov ecx, esi

.text:004F102A call ?GetDlgItem@CWnd@@QBEPAV1@H@Z ; CWnd::GetDlgItem(int)

.text:004F102F mov ecx, eax

.text:004F1031 call ?EnableWindow@CWnd@@QAEHH@Z ; CWnd::EnableWindow(int)

.text:004F1036 push 0

.text:004F1038 jmp short loc_4F104E

enhzflep

enhzflep

Posted
Posted (edited)

Basically, from what I can tell - the code you've shown is doing the following:

4F0FCD: create new string variable (this is MS Visual C++ mfc code)

4F0FE6: get handle of dialog item (text input box), number 1232d (4D0h)

4F0FED: get text of window identified by above handle, and put it into our new string variable

4F0FF6: remove leading spaces from entered text " Hello World " ----> "Hello World "

4F0FFF: remove trailing spaces from text "Hello World " ---> "Hello World"

4F1008: convert to upper-case "Hello World" ---> "HELLO WORLD"

4F1011: check string length = 20 (14h)

4F1015: jump to buggerOff if length is less than 20

4F1018: ?????????

4F1020: check that eax contains something after function call

4F1022: jump to buggerOff if we get a 0 return value from above function

4F102A: get a window handle

4F1031: Enable/Disable the window (Enable, I think - does a button become usable at some point?)

4F1038: jmp to buggerOff2

buggerOff: (4F103A)

...

...

...

...

...

buggerOff2: (4F104E)

If you could get a graph-view of this code in IDA Pro you should be able to get a better idea of just what's happening.

Just look for the longest/most complex path right near the serial number entry code. This is typically the successfull activation/registration path - the one with the most chances to be given a BadBoy message.

Without knowing what comes after the code you posted, it's a little hard to tell, though I'd be surprised if the actuall checking of the ser-num didn't come somewhere not far below the bottom of this code-fragment.

Hope that helps shed a little light on it.

post-36039-1210386843_thumb.png

Edited by enhzflep
rcemoss

rcemoss

Posted
  • Author
Posted (edited)
Basically, from what I can tell - the code you've shown is doing the following:

4F0FCD: create new string variable (this is MS Visual C++ mfc code)

4F0FE6: get handle of dialog item (text input box), number 1232d (4D0h)

4F0FED: get text of window identified by above handle, and put it into our new string variable

4F0FF6: remove leading spaces from entered text " Hello World " ----> "Hello World "

4F0FFF: remove trailing spaces from text "Hello World " ---> "Hello World"

4F1008: convert to upper-case "Hello World" ---> "HELLO WORLD"

4F1011: check string length = 20 (14h)

4F1015: jump to buggerOff if length is less than 20

4F1018: ?????????

4F1020: check that eax contains something after function call

4F1022: jump to buggerOff if we get a 0 return value from above function

4F102A: get a window handle

4F1031: Enable/Disable the window (Enable, I think - does a button become usable at some point?)

4F1038: jmp to buggerOff2

buggerOff: (4F103A)

...

...

...

...

...

buggerOff2: (4F104E)

If you could get a graph-view of this code in IDA Pro you should be able to get a better idea of just what's happening.

Just look for the longest/most complex path right near the serial number entry code. This is typically the successfull activation/registration path - the one with the most chances to be given a BadBoy message.

Without knowing what comes after the code you posted, it's a little hard to tell, though I'd be surprised if the actuall checking of the ser-num didn't come somewhere not far below the bottom of this code-fragment.

Hope that helps shed a little light on it.

Great help, turns out that the 4F1031 turns on the "Unlock" button so the routine at 4F1018 appears to check the 20 character string gathered at 4F0FED. I've posted the code for 4F1018 along with attached flowchart for same if anyone has time to take a look. TIA.

004EF910 sub_4EF910 proc near ; CODE XREF: sub_4EF520+61p

004EF910 ; sub_4EF520+EFp ...

004EF910

004EF910 var_30 = dword ptr -30h

004EF910 var_2C = dword ptr -2Ch

004EF910 var_28 = dword ptr -28h

004EF910 var_24 = byte ptr -24h

004EF910 var_20 = byte ptr -20h

004EF910 var_1C = byte ptr -1Ch

004EF910 var_18 = byte ptr -18h

004EF910 var_14 = byte ptr -14h

004EF910 var_10 = byte ptr -10h

004EF910 var_C = dword ptr -0Ch

004EF910 var_4 = dword ptr -4

004EF910 arg_0 = dword ptr 4

004EF910

004EF910 mov eax, large fs:0

004EF916 push 0FFFFFFFFh

004EF918 push offset SEH_4EF910

004EF91D push eax

004EF91E mov eax, [esp+0Ch+arg_0]

004EF922 mov large fs:0, esp

004EF929 sub esp, 24h

004EF92C push ebx

004EF92D push ebp

004EF92E xor ebp, ebp

004EF930 push esi

004EF931 cmp eax, ebp

004EF933 push edi

004EF934 jnz short loc_4EF94B

004EF936 pop edi

004EF937 pop esi

004EF938 pop ebp

004EF939 xor eax, eax

004EF93B pop ebx

004EF93C mov ecx, [esp+30h+var_C]

004EF940 mov large fs:0, ecx

004EF947 add esp, 30h

004EF94A retn

004EF94B ; ---------------------------------------------------------------------------

004EF94B

004EF94B loc_4EF94B: ; CODE XREF: sub_4EF910+24j

004EF94B push eax

004EF94C lea ecx, [esp+44h+arg_0]

004EF950 mov [esp+44h+var_2C], ebp

004EF954 call ??0CString@@QAE@PBD@Z ; CString::CString(char const *)

004EF959 mov eax, [esp+40h+arg_0]

004EF95D mov [esp+40h+var_4], ebp

004EF961 mov eax, [eax-8]

004EF964 cmp eax, 14h

004EF967 jge short loc_4EF98F

004EF969 lea ecx, [esp+40h+arg_0]

004EF96D mov [esp+40h+var_4], 0FFFFFFFFh

004EF975 call ??1CString@@QAE@XZ ; CString::~CString(void)

004EF97A pop edi

004EF97B pop esi

004EF97C pop ebp

004EF97D xor eax, eax

004EF97F pop ebx

004EF980 mov ecx, [esp+30h+var_C]

004EF984 mov large fs:0, ecx

004EF98B add esp, 30h

004EF98E retn

004EF98F ; ---------------------------------------------------------------------------

004EF98F

004EF98F loc_4EF98F: ; CODE XREF: sub_4EF910+57j

004EF98F cmp eax, 11h

004EF992 jge short loc_4EF9BA

004EF994 lea ecx, [esp+40h+arg_0]

004EF998 mov [esp+40h+var_4], 0FFFFFFFFh

004EF9A0 call ??1CString@@QAE@XZ ; CString::~CString(void)

004EF9A5 pop edi

004EF9A6 pop esi

004EF9A7 pop ebp

004EF9A8 xor eax, eax

004EF9AA pop ebx

004EF9AB mov ecx, [esp+30h+var_C]

004EF9AF mov large fs:0, ecx

004EF9B6 add esp, 30h

004EF9B9 retn

004EF9BA ; ---------------------------------------------------------------------------

004EF9BA

004EF9BA loc_4EF9BA: ; CODE XREF: sub_4EF910+82j

004EF9BA lea ecx, [esp+40h+arg_0]

004EF9BE call ?MakeUpper@CString@@QAEXXZ ; CString::MakeUpper(void)

004EF9C3 push 43h

004EF9C5 push ebp

004EF9C6 lea ecx, [esp+48h+arg_0]

004EF9CA call ?SetAt@CString@@QAEXHD@Z ; CString::SetAt(int,char)

004EF9CF push 50h

004EF9D1 push 1

004EF9D3 lea ecx, [esp+48h+arg_0]

004EF9D7 call ?SetAt@CString@@QAEXHD@Z ; CString::SetAt(int,char)

004EF9DC mov ecx, [esp+40h+arg_0]

004EF9E0 xor edi, edi

004EF9E2 xor esi, esi

004EF9E4 mov eax, [ecx-8]

004EF9E7 add eax, 0FFFFFFFDh

004EF9EA test eax, eax

004EF9EC jle short loc_4EFA31

004EF9EE

004EF9EE loc_4EF9EE: ; CODE XREF: sub_4EF910+11Fj

004EF9EE push 1

004EF9F0 lea edx, [esp+44h+var_28]

004EF9F4 push esi

004EF9F5 push edx

004EF9F6 lea ecx, [esp+4Ch+arg_0]

004EF9FA call ?Mid@CString@@QBE?AV1@HH@Z ; CString::Mid(int,int)

004EF9FF mov eax, [eax]

004EFA01 push ebp

004EFA02 push eax

004EFA03 mov ecx, offset dword_5C6CB8

004EFA08 mov byte ptr [esp+48h+var_4], 1

004EFA0D call ?Find@CString@@QBEHPBDH@Z ; CString::Find(char const *,int)

004EFA12 lea ecx, [esp+40h+var_28]

004EFA16 add edi, eax

004EFA18 mov byte ptr [esp+40h+var_4], 0

004EFA1D call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFA22 mov eax, [esp+40h+arg_0]

004EFA26 inc esi

004EFA27 mov eax, [eax-8]

004EFA2A add eax, 0FFFFFFFDh

004EFA2D cmp esi, eax

004EFA2F jl short loc_4EF9EE

004EFA31

004EFA31 loc_4EFA31: ; CODE XREF: sub_4EF910+DCj

004EFA31 mov ecx, dword_5C6CB8

004EFA37 mov eax, edi

004EFA39 cdq

004EFA3A mov ecx, [ecx-8]

004EFA3D or edi, 0FFFFFFFFh

004EFA40 idiv ecx

004EFA42 cmp edx, 23h

004EFA45 jl short loc_4EFA49

004EFA47 mov edx, edi

004EFA49

004EFA49 loc_4EFA49: ; CODE XREF: sub_4EF910+135j

004EFA49 inc edx

004EFA4A push 1

004EFA4C push edx

004EFA4D lea edx, [esp+48h+var_28]

004EFA51 push edx

004EFA52 mov ecx, offset dword_5C6CB8

004EFA57 call ?Mid@CString@@QBE?AV1@HH@Z ; CString::Mid(int,int)

004EFA5C mov eax, [eax]

004EFA5E lea ecx, [esp+40h+var_28]

004EFA62 mov bl, [eax]

004EFA64 call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFA69 push 1

004EFA6B lea ecx, [esp+44h+var_28]

004EFA6F push 11h

004EFA71 push ecx

004EFA72 lea ecx, [esp+4Ch+arg_0]

004EFA76 call ?Mid@CString@@QBE?AV1@HH@Z ; CString::Mid(int,int)

004EFA7B mov edx, [eax]

004EFA7D mov cl, [edx]

004EFA7F cmp bl, cl

004EFA81 lea ecx, [esp+40h+var_28]

004EFA85 setnz bl

004EFA88 call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFA8D test bl, bl

004EFA8F jz short loc_4EFAB3

004EFA91 lea ecx, [esp+40h+arg_0]

004EFA95 mov [esp+40h+var_4], edi

004EFA99 call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFA9E pop edi

004EFA9F pop esi

004EFAA0 pop ebp

004EFAA1 xor eax, eax

004EFAA3 pop ebx

004EFAA4 mov ecx, [esp+30h+var_C]

004EFAA8 mov large fs:0, ecx

004EFAAF add esp, 30h

004EFAB2 retn

004EFAB3 ; ---------------------------------------------------------------------------

004EFAB3

004EFAB3 loc_4EFAB3: ; CODE XREF: sub_4EF910+17Fj

004EFAB3 lea eax, [esp+40h+var_24]

004EFAB7 push eax

004EFAB8 call sub_4F0110

004EFABD lea ecx, [esp+44h+var_28]

004EFAC1 push eax

004EFAC2 push ecx

004EFAC3 mov byte ptr [esp+4Ch+var_4], 2

004EFAC8 call sub_4F0480

004EFACD add esp, 0Ch

004EFAD0 lea ecx, [esp+40h+var_24]

004EFAD4 mov byte ptr [esp+40h+var_4], 4

004EFAD9 call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFADE mov edx, [esp+40h+var_28]

004EFAE2 mov eax, [edx-8]

004EFAE5 cmp eax, 4

004EFAE8 jl short loc_4EFB69

004EFAEA lea eax, [esp+40h+var_1C]

004EFAEE push 4

004EFAF0 push eax

004EFAF1 lea ecx, [esp+48h+var_28]

004EFAF5 call ?Right@CString@@QBE?AV1@H@Z ; CString::Right(int)

004EFAFA mov esi, [eax]

004EFAFC push 4

004EFAFE lea ecx, [esp+44h+var_20]

004EFB02 push 0Ah

004EFB04 push ecx

004EFB05 lea ecx, [esp+4Ch+arg_0]

004EFB09 mov byte ptr [esp+4Ch+var_4], 5

004EFB0E call ?Mid@CString@@QBE?AV1@HH@Z ; CString::Mid(int,int)

004EFB13 mov eax, [eax]

004EFB15

004EFB15 loc_4EFB15: ; CODE XREF: sub_4EF910+227j

004EFB15 mov dl, [eax]

004EFB17 mov bl, [esi]

004EFB19 mov cl, dl

004EFB1B cmp dl, bl

004EFB1D jnz short loc_4EFB3D

004EFB1F test cl, cl

004EFB21 jz short loc_4EFB39

004EFB23 mov dl, [eax+1]

004EFB26 mov bl, [esi+1]

004EFB29 mov cl, dl

004EFB2B cmp dl, bl

004EFB2D jnz short loc_4EFB3D

004EFB2F add eax, 2

004EFB32 add esi, 2

004EFB35 test cl, cl

004EFB37 jnz short loc_4EFB15

004EFB39

004EFB39 loc_4EFB39: ; CODE XREF: sub_4EF910+211j

004EFB39 xor eax, eax

004EFB3B jmp short loc_4EFB41

004EFB3D ; ---------------------------------------------------------------------------

004EFB3D

004EFB3D loc_4EFB3D: ; CODE XREF: sub_4EF910+20Dj

004EFB3D ; sub_4EF910+21Dj

004EFB3D sbb eax, eax

004EFB3F sbb eax, edi

004EFB41

004EFB41 loc_4EFB41: ; CODE XREF: sub_4EF910+22Bj

004EFB41 test eax, eax

004EFB43 lea ecx, [esp+40h+var_20]

004EFB47 setz bl

004EFB4A call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFB4F lea ecx, [esp+40h+var_1C]

004EFB53 mov byte ptr [esp+40h+var_4], 4

004EFB58 call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFB5D test bl, bl

004EFB5F jz short loc_4EFB69

004EFB61 mov [esp+40h+var_2C], 1

004EFB69

004EFB69 loc_4EFB69: ; CODE XREF: sub_4EF910+1D8j

004EFB69 ; sub_4EF910+24Fj

004EFB69 lea eax, [esp+40h+var_1C]

004EFB6D push eax

004EFB6E call sub_4EFF60

004EFB73 lea ecx, [esp+44h+var_30]

004EFB77 push eax

004EFB78 push ecx

004EFB79 mov byte ptr [esp+4Ch+var_4], 6

004EFB7E call sub_4F0480

004EFB83 add esp, 0Ch

004EFB86 lea ecx, [esp+40h+var_1C]

004EFB8A mov byte ptr [esp+40h+var_4], 8

004EFB8F call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFB94 mov edx, [esp+40h+var_30]

004EFB98 mov eax, [edx-8]

004EFB9B cmp eax, 4

004EFB9E jl loc_4EFCA8

004EFBA4 lea eax, [esp+40h+var_10]

004EFBA8 push 4

004EFBAA push eax

004EFBAB lea ecx, [esp+48h+var_30]

004EFBAF call ?Left@CString@@QBE?AV1@H@Z ; CString::Left(int)

004EFBB4 mov esi, [eax]

004EFBB6 push 4

004EFBB8 lea ecx, [esp+44h+var_14]

004EFBBC push 2

004EFBBE push ecx

004EFBBF lea ecx, [esp+4Ch+arg_0]

004EFBC3 mov byte ptr [esp+4Ch+var_4], 9

004EFBC8 call ?Mid@CString@@QBE?AV1@HH@Z ; CString::Mid(int,int)

004EFBCD mov eax, [eax]

004EFBCF mov byte ptr [esp+40h+var_4], 0Ah

004EFBD4

004EFBD4 loc_4EFBD4: ; CODE XREF: sub_4EF910+2E6j

004EFBD4 mov dl, [eax]

004EFBD6 mov bl, [esi]

004EFBD8 mov cl, dl

004EFBDA cmp dl, bl

004EFBDC jnz short loc_4EFBFC

004EFBDE test cl, cl

004EFBE0 jz short loc_4EFBF8

004EFBE2 mov dl, [eax+1]

004EFBE5 mov bl, [esi+1]

004EFBE8 mov cl, dl

004EFBEA cmp dl, bl

004EFBEC jnz short loc_4EFBFC

004EFBEE add eax, 2

004EFBF1 add esi, 2

004EFBF4 test cl, cl

004EFBF6 jnz short loc_4EFBD4

004EFBF8

004EFBF8 loc_4EFBF8: ; CODE XREF: sub_4EF910+2D0j

004EFBF8 xor eax, eax

004EFBFA jmp short loc_4EFC00

004EFBFC ; ---------------------------------------------------------------------------

004EFBFC

004EFBFC loc_4EFBFC: ; CODE XREF: sub_4EF910+2CCj

004EFBFC ; sub_4EF910+2DCj

004EFBFC sbb eax, eax

004EFBFE sbb eax, edi

004EFC00

004EFC00 loc_4EFC00: ; CODE XREF: sub_4EF910+2EAj

004EFC00 test eax, eax

004EFC02 jz short loc_4EFC7F

004EFC04 lea eax, [esp+40h+var_18]

004EFC08 push 4

004EFC0A push eax

004EFC0B lea ecx, [esp+48h+var_30]

004EFC0F call ?Left@CString@@QBE?AV1@H@Z ; CString::Left(int)

004EFC14 mov esi, [eax]

004EFC16 push 4

004EFC18 lea ecx, [esp+44h+var_20]

004EFC1C push 6

004EFC1E push ecx

004EFC1F lea ecx, [esp+4Ch+arg_0]

004EFC23 mov byte ptr [esp+4Ch+var_4], 0Bh

004EFC28 call ?Mid@CString@@QBE?AV1@HH@Z ; CString::Mid(int,int)

004EFC2D mov eax, [eax]

004EFC2F

004EFC2F loc_4EFC2F: ; CODE XREF: sub_4EF910+341j

004EFC2F mov dl, [eax]

004EFC31 mov bl, [esi]

004EFC33 mov cl, dl

004EFC35 cmp dl, bl

004EFC37 jnz short loc_4EFC57

004EFC39 test cl, cl

004EFC3B jz short loc_4EFC53

004EFC3D mov dl, [eax+1]

004EFC40 mov bl, [esi+1]

004EFC43 mov cl, dl

004EFC45 cmp dl, bl

004EFC47 jnz short loc_4EFC57

004EFC49 add eax, 2

004EFC4C add esi, 2

004EFC4F test cl, cl

004EFC51 jnz short loc_4EFC2F

004EFC53

004EFC53 loc_4EFC53: ; CODE XREF: sub_4EF910+32Bj

004EFC53 xor eax, eax

004EFC55 jmp short loc_4EFC5B

004EFC57 ; ---------------------------------------------------------------------------

004EFC57

004EFC57 loc_4EFC57: ; CODE XREF: sub_4EF910+327j

004EFC57 ; sub_4EF910+337j

004EFC57 sbb eax, eax

004EFC59 sbb eax, edi

004EFC5B

004EFC5B loc_4EFC5B: ; CODE XREF: sub_4EF910+345j

004EFC5B test eax, eax

004EFC5D lea ecx, [esp+40h+var_20]

004EFC61 setz bl

004EFC64 call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFC69 lea ecx, [esp+40h+var_18]

004EFC6D mov byte ptr [esp+40h+var_4], 0Ah

004EFC72 call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFC77 test bl, bl

004EFC79 jnz short loc_4EFC7F

004EFC7B xor ebp, ebp

004EFC7D jmp short loc_4EFC84

004EFC7F ; ---------------------------------------------------------------------------

004EFC7F

004EFC7F loc_4EFC7F: ; CODE XREF: sub_4EF910+2F2j

004EFC7F ; sub_4EF910+369j

004EFC7F mov ebp, 1

004EFC84

004EFC84 loc_4EFC84: ; CODE XREF: sub_4EF910+36Dj

004EFC84 lea ecx, [esp+40h+var_14]

004EFC88 mov byte ptr [esp+40h+var_4], 9

004EFC8D call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFC92 lea ecx, [esp+40h+var_10]

004EFC96 mov byte ptr [esp+40h+var_4], 8

004EFC9B call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFCA0 test ebp, ebp

004EFCA2 jnz loc_4EFDB2

004EFCA8

004EFCA8 loc_4EFCA8: ; CODE XREF: sub_4EF910+28Ej

004EFCA8 mov eax, [esp+40h+var_30]

004EFCAC cmp dword ptr [eax-8], 8

004EFCB0 jl loc_4EFDB2

004EFCB6 lea ecx, [esp+40h+var_20]

004EFCBA push 4

004EFCBC push ecx

004EFCBD lea ecx, [esp+48h+var_30]

004EFCC1 call ?Right@CString@@QBE?AV1@H@Z ; CString::Right(int)

004EFCC6 mov esi, [eax]

004EFCC8 push 4

004EFCCA lea edx, [esp+44h+var_18]

004EFCCE push 2

004EFCD0 push edx

004EFCD1 lea ecx, [esp+4Ch+arg_0]

004EFCD5 mov byte ptr [esp+4Ch+var_4], 0Ch

004EFCDA call ?Mid@CString@@QBE?AV1@HH@Z ; CString::Mid(int,int)

004EFCDF mov eax, [eax]

004EFCE1 mov byte ptr [esp+40h+var_4], 0Dh

004EFCE6

004EFCE6 loc_4EFCE6: ; CODE XREF: sub_4EF910+3F8j

004EFCE6 mov dl, [eax]

004EFCE8 mov bl, [esi]

004EFCEA mov cl, dl

004EFCEC cmp dl, bl

004EFCEE jnz short loc_4EFD0E

004EFCF0 test cl, cl

004EFCF2 jz short loc_4EFD0A

004EFCF4 mov dl, [eax+1]

004EFCF7 mov bl, [esi+1]

004EFCFA mov cl, dl

004EFCFC cmp dl, bl

004EFCFE jnz short loc_4EFD0E

004EFD00 add eax, 2

004EFD03 add esi, 2

004EFD06 test cl, cl

004EFD08 jnz short loc_4EFCE6

004EFD0A

004EFD0A loc_4EFD0A: ; CODE XREF: sub_4EF910+3E2j

004EFD0A xor eax, eax

004EFD0C jmp short loc_4EFD12

004EFD0E ; ---------------------------------------------------------------------------

004EFD0E

004EFD0E loc_4EFD0E: ; CODE XREF: sub_4EF910+3DEj

004EFD0E ; sub_4EF910+3EEj

004EFD0E sbb eax, eax

004EFD10 sbb eax, edi

004EFD12

004EFD12 loc_4EFD12: ; CODE XREF: sub_4EF910+3FCj

004EFD12 test eax, eax

004EFD14 jz short loc_4EFD91

004EFD16 lea eax, [esp+40h+var_14]

004EFD1A push 4

004EFD1C push eax

004EFD1D lea ecx, [esp+48h+var_30]

004EFD21 call ?Right@CString@@QBE?AV1@H@Z ; CString::Right(int)

004EFD26 mov esi, [eax]

004EFD28 push 4

004EFD2A lea ecx, [esp+44h+var_10]

004EFD2E push 6

004EFD30 push ecx

004EFD31 lea ecx, [esp+4Ch+arg_0]

004EFD35 mov byte ptr [esp+4Ch+var_4], 0Eh

004EFD3A call ?Mid@CString@@QBE?AV1@HH@Z ; CString::Mid(int,int)

004EFD3F mov eax, [eax]

004EFD41

004EFD41 loc_4EFD41: ; CODE XREF: sub_4EF910+453j

004EFD41 mov dl, [eax]

004EFD43 mov bl, [esi]

004EFD45 mov cl, dl

004EFD47 cmp dl, bl

004EFD49 jnz short loc_4EFD69

004EFD4B test cl, cl

004EFD4D jz short loc_4EFD65

004EFD4F mov dl, [eax+1]

004EFD52 mov bl, [esi+1]

004EFD55 mov cl, dl

004EFD57 cmp dl, bl

004EFD59 jnz short loc_4EFD69

004EFD5B add eax, 2

004EFD5E add esi, 2

004EFD61 test cl, cl

004EFD63 jnz short loc_4EFD41

004EFD65

004EFD65 loc_4EFD65: ; CODE XREF: sub_4EF910+43Dj

004EFD65 xor eax, eax

004EFD67 jmp short loc_4EFD6D

004EFD69 ; ---------------------------------------------------------------------------

004EFD69

004EFD69 loc_4EFD69: ; CODE XREF: sub_4EF910+439j

004EFD69 ; sub_4EF910+449j

004EFD69 sbb eax, eax

004EFD6B sbb eax, edi

004EFD6D

004EFD6D loc_4EFD6D: ; CODE XREF: sub_4EF910+457j

004EFD6D test eax, eax

004EFD6F lea ecx, [esp+40h+var_10]

004EFD73 setz bl

004EFD76 call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFD7B lea ecx, [esp+40h+var_14]

004EFD7F mov byte ptr [esp+40h+var_4], 0Dh

004EFD84 call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFD89 test bl, bl

004EFD8B jnz short loc_4EFD91

004EFD8D xor ebp, ebp

004EFD8F jmp short loc_4EFD96

004EFD91 ; ---------------------------------------------------------------------------

004EFD91

004EFD91 loc_4EFD91: ; CODE XREF: sub_4EF910+404j

004EFD91 ; sub_4EF910+47Bj

004EFD91 mov ebp, 1

004EFD96

004EFD96 loc_4EFD96: ; CODE XREF: sub_4EF910+47Fj

004EFD96 lea ecx, [esp+40h+var_18]

004EFD9A mov byte ptr [esp+40h+var_4], 0Ch

004EFD9F call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFDA4 lea ecx, [esp+40h+var_20]

004EFDA8 mov byte ptr [esp+40h+var_4], 8

004EFDAD call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFDB2

004EFDB2 loc_4EFDB2: ; CODE XREF: sub_4EF910+392j

004EFDB2 ; sub_4EF910+3A0j

004EFDB2 mov eax, [esp+40h+var_2C]

004EFDB6 test eax, eax

004EFDB8 jnz short loc_4EFDC2

004EFDBA test ebp, ebp

004EFDBC jz loc_4EFE57

004EFDC2

004EFDC2 loc_4EFDC2: ; CODE XREF: sub_4EF910+4A8j

004EFDC2 push 3

004EFDC4 lea eax, [esp+44h+var_10]

004EFDC8 push 0Eh

004EFDCA push eax

004EFDCB lea ecx, [esp+4Ch+arg_0]

004EFDCF call ?Mid@CString@@QBE?AV1@HH@Z ; CString::Mid(int,int)

004EFDD4 mov eax, [eax]

004EFDD6 push eax ; Str

004EFDD7 call ds:atoi

004EFDDD add esp, 4

004EFDE0 lea ecx, [esp+40h+var_10]

004EFDE4 mov esi, eax

004EFDE6 call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFDEB cmp esi, 385h

004EFDF1 jg short loc_4EFE13

004EFDF3 jz short loc_4EFE25

004EFDF5 cmp esi, 14Eh

004EFDFB jz short loc_4EFE0C

004EFDFD cmp esi, 1ECh

004EFE03 jnz short loc_4EFE1B

004EFE05 mov esi, 3

004EFE0A jmp short loc_4EFE2A

004EFE0C ; ---------------------------------------------------------------------------

004EFE0C

004EFE0C loc_4EFE0C: ; CODE XREF: sub_4EF910+4EBj

004EFE0C mov esi, 2

004EFE11 jmp short loc_4EFE2A

004EFE13 ; ---------------------------------------------------------------------------

004EFE13

004EFE13 loc_4EFE13: ; CODE XREF: sub_4EF910+4E1j

004EFE13 cmp esi, 3E6h

004EFE19 jz short loc_4EFE25

004EFE1B

004EFE1B loc_4EFE1B: ; CODE XREF: sub_4EF910+4F3j

004EFE1B xor esi, esi

004EFE1D xor ebp, ebp

004EFE1F mov [esp+40h+var_2C], esi

004EFE23 jmp short loc_4EFE2A

004EFE25 ; ---------------------------------------------------------------------------

004EFE25

004EFE25 loc_4EFE25: ; CODE XREF: sub_4EF910+4E3j

004EFE25 ; sub_4EF910+509j

004EFE25 mov esi, 1

004EFE2A

004EFE2A loc_4EFE2A: ; CODE XREF: sub_4EF910+4FAj

004EFE2A ; sub_4EF910+501j ...

004EFE2A call ?AfxGetModuleState@@YGPAVAFX_MODULE_STATE@@XZ ; AfxGetModuleState(void)

004EFE2F mov eax, [eax+4]

004EFE32 push 0

004EFE34 push offset off_5BA6B8

004EFE39 push offset off_5BA6A0

004EFE3E push 0

004EFE40 push eax

004EFE41 call __RTDynamicCast

004EFE46 mov eax, [eax+0D8h]

004EFE4C add esp, 14h

004EFE4F mov ecx, eax

004EFE51 push esi

004EFE52 call sub_403AB0

004EFE57

004EFE57 loc_4EFE57: ; CODE XREF: sub_4EF910+4ACj

004EFE57 lea ecx, [esp+40h+var_30]

004EFE5B mov byte ptr [esp+40h+var_4], 4

004EFE60 call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFE65 lea ecx, [esp+40h+var_28]

004EFE69 mov byte ptr [esp+40h+var_4], 0

004EFE6E call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFE73 test ebp, ebp

004EFE75 jnz short loc_4EFE83

004EFE77 mov eax, [esp+40h+var_2C]

004EFE7B test eax, eax

004EFE7D jnz short loc_4EFE83

004EFE7F xor esi, esi

004EFE81 jmp short loc_4EFE88

004EFE83 ; ---------------------------------------------------------------------------

004EFE83

004EFE83 loc_4EFE83: ; CODE XREF: sub_4EF910+565j

004EFE83 ; sub_4EF910+56Dj

004EFE83 mov esi, 1

004EFE88

004EFE88 loc_4EFE88: ; CODE XREF: sub_4EF910+571j

004EFE88 lea ecx, [esp+40h+arg_0]

004EFE8C mov [esp+40h+var_4], edi

004EFE90 call ??1CString@@QAE@XZ ; CString::~CString(void)

004EFE95 mov ecx, [esp+40h+var_C]

004EFE99 mov eax, esi

004EFE9B pop edi

004EFE9C pop esi

004EFE9D pop ebp

004EFE9E pop ebx

004EFE9F mov large fs:0, ecx

004EFEA6 add esp, 30h

004EFEA9 retn

004EFEA9 sub_4EF910 endp

sub_4EF910_flowchart.rar

sub_4EF910_C_Code.rar

Edited by rcemoss
enhzflep

enhzflep

Posted
Posted

Ouch, that looks like a bitch of a function when dead-listed!

I've been looking over that code mate, and while I thought I had nutted it out, on closer inspection I'm wondering if it doesn't write to memory elsewhere in the program, thus voiding any efort to simply set eax + ecx and exit. Gotta say thanks mate, without seeing this code I'd probably still be without the HexRays decomp. How good is that thing?! Sure, ity doesn't always get it right, as we can see from it thinking that the input to this func is an int, but it's still well worth someone else's money. :whistling:

Perhaps this code's operation would be clearer if seen live and running, though without that it seems as though the function return in the bottom left of the graph is the desired end-point of the function. Does it work ok if you manipulate the jumps so that the function exits with eax not = to 0? Or even, what happens if you simply set eax to 1 & avoid the call to this function alltogether, does it still fall over elsewhere? Is this function called only once near the start somewhere, or does it get a continual thrashing? Hmm, questions, questions.

If you could mention the name of the target, I'd be more than a litttle interested in having a closer look (even if it was something as useless to me as a kid's educational prog) - you know? It's the locked door, not the contents that make this pursuit so engaging..

Me puts on my Fravia hat & goes looking for a challenge....

enhzflep

enhzflep

Posted
Posted (edited)

I've had a bit of a play with the target, and while I'm not much of a fisherman it does function okay. It seems that the registration scheme is in fact the big long function you posted. Notice that in all exits from the function except for one, that eax is xored with itself? If you get this function to return 1 in eax, the program is perfectly haapy, and tells you you've registered and removes the 14 day trial period message.

All I did was put breakpoints on all the RETs for the function, then changed eax to 1 before allowing the function to exit. It seemed to function fine. I noticed that the same function is called from about 5 places in the program, so figured that it may be the real-deal, and not just some function to tell the program if it can enable the "Register" button or not.

I see that the number I was trying at the time is the number displayed as my entered serial. I suppose 1 of those 5 checks would have been comparing the saved serial to see if it was valid. I can't be certain that this fix will work - you may just have to enter something as the serial number, so that the 20 chars or more condition is satisfied. I dunno, you'll have to have a play around with it.

Anyway, it's just 3 instructions. If you goto RVA 004EF910, you'll be at the start of the start of the function called from 4F1018. This is the checkRegistration function.

If you assemble in these 3 instructions, the checkRegistration function always returns 1.

xor eax, eax

inc eax

ret

and you're done.

EDIT: confimed. Install, patch, run. - You also have to disable the Registration option under the Help menu - it appears with the Close button disabled, and no way of exiting the dialog.

Edited by enhzflep
  • 2 weeks later...
rcemoss

rcemoss

Posted
  • Author
Posted

Works great, I had set breaks on all the returns but wasn't smart enough to put together setting the EAX, instead I was just trying to hit the proper return point. I greatly appreciate you taking a look. Sorry for the late reply was on holiday and spouse wouldn't let me open the laptop.

enhzflep

enhzflep

Posted
Posted (edited)

Heh, heh. Nah, I was just too lazy to try to get to the correct return point, I tried it as a quick hack, and it worked. I just got lucky. No dramas about reply speed, - I'm happy to have learned during the course of the exercise. I mean, I wouldn't have hunted down the excellent decompiler plugin for IDA without your questions.

Thank-you

Now all I gotta do is cancel the damn emails that they keeps sending me about my schedule...

Edited by enhzflep

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...